The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP, and all of our materials are available under a free and open software license.

Tuesday, January 5, 2016

OWASP Projects - Global Improvements & Benchmark Specifics

Hello OWASP Community:

This is an update to the Community about the Board’s evaluation of concerns and complaints from the OWASP Community about both vendor neutrality and marketing activities around the OWASP Benchmark project.

In October, several Board members met face to face with the Benchmark project leaders and representatives from the vendor involved and expressed our deep concern about the marketing activities and neutrality of the project. The discussions were frank and open on both sides and demonstrated the willingness of both parties to collaborate on a solution.

In November, the OWASP Board dedicated a two-hour meeting to the issues identified with the Benchmark project and worked to make a plan of action including:

Updating the OWASP Project review processes to clarify specific criteria for graduation from Incubator to Lab status, to ensure that all projects, including the OWASP Benchmark project, are vendor-independent and have multiple community supporters.

Overhauling the OWASP Branding Guidelines to bring them in line with industry standards and protect the Foundation's image, with clarifying language on how the OWASP brand can and cannot be used.

At the December 9 OWASP Board meeting, the Board took the following actions. Our intent is to protect the integrity of the OWASP Project outputs, while also encouraging and stimulating innovation via OWASP Project research, development and discovery.

Specifically, the Board believes the Benchmark Project is a beneficial tool worthy of further development and updates. Therefore, it will be moved back to Incubator status until requirements for multiple community supporters and vendor independence are met.

These actions represent consensus agreement among board members. As a general statement, the OWASP Board is not comfortable with the way that the OWASP Benchmark, which is an early stage and technically limited project, was originally used to promote a vendor tool.

In summary, we continue to treat the quality of OWASP Projects as a serious issue. The OWASP Community has a major role in that effort by participating on the Project review team and providing feedback during Project review and graduation evaluations. While this project had a specific issue to resolve, it did highlight the need for further updates and improvements in the OWASP policies surrounding all Projects. We appreciate the engagement of the community and welcome further input.